Zulip Server 5.7 security release
We released Zulip Server 5.7 today! This is a security release, containing a security fix and several cherry-picked changes since Zulip Server 5.6.
Upgrading
We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. If you need help, best-effort support is available on chat.zulip.org.
Notable changes
- CVE-2022-41914: Fixed the verification of the SCIM account management bearer tokens to use a constant-time comparator. Zulip Server 5.0 through 5.6 checked SCIM bearer tokens using a comparator that did not run in constant time. For organizations with SCIM account management enabled, this bug theoretically allowed an attacker to steal the SCIM bearer token, and use it to read and update the Zulip organization’s user accounts. In practice, this vulnerability may not have been practical or exploitable. Zulip Server installations which have not explicitly enabled SCIM are not affected.
- Fixed an error with deactivating users with manage.py sync_ldap_user_data when LDAP_DEACTIVATE_NON_MATCHING_USERS was enabled.
- Fixed several subtle bugs that could lead to browsers reloading repeatedly when the server was updated.
- Fixed a live-update bug when changing certain notifications settings.
- Improved error logs when sending push notifications to the push notifications service fails.
- Upgraded Python requirements.
CVE-2022-41914 was discovered internally by the Zulip security team.
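To illustrate the kind of fix described for CVE-2022-41914, here is an added example (not Zulip's own code, and not its SCIM implementation) of what a bearer-token check looks like before and after switching to a constant-time comparator. The token value and the header parser are constructed for this example; the only standard-library primitive it relies on is hmac.compare_digest. The naive comparison is instrumented to report how many bytes it examined, which makes visible why an early-exit comparator's running time depends on the input, while the hardened check does not.

```python
import hmac
from typing import Optional, Tuple

# Constructed sample secret for this example only. In a real deployment the
# SCIM bearer token comes from the server's SCIM configuration.
EXPECTED_TOKEN = "example-scim-bearer-token-0123456789abcdef"


def naive_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Byte-by-byte comparison that stops at the first mismatch.

    This is the shape of an ordinary equality check. It is instrumented to
    return how many bytes were examined, so the input-dependent work (and
    therefore timing) is observable without a stopwatch.
    """
    examined = 0
    if len(a) != len(b):
        return False, examined
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(a: bytes, b: bytes) -> bool:
    """Compare two byte strings without leaking where they first differ.

    hmac.compare_digest is the standard-library primitive for this; it
    always processes the full input instead of returning at the first
    mismatching byte.
    """
    return hmac.compare_digest(a, b)


def extract_bearer(authorization_header: Optional[str]) -> Optional[str]:
    """Pull the token out of an 'Authorization: Bearer <token>' header.

    Returns None for a missing, empty, or non-Bearer header so that callers
    never compare against an absent credential.
    """
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def verify_scim_token(authorization_header: Optional[str],
                      expected: str = EXPECTED_TOKEN) -> bool:
    """Hardened check: parse the header, then compare in constant time.

    Both sides are encoded to UTF-8 bytes first; compare_digest accepts
    str only when it is pure ASCII, so bytes are the safe choice.
    """
    presented = extract_bearer(authorization_header)
    if presented is None:
        return False
    return constant_time_compare(presented.encode("utf-8"),
                                 expected.encode("utf-8"))


def bytes_examined_by_naive_check(prefix_len: int,
                                  expected: str = EXPECTED_TOKEN) -> int:
    """Show the leak: a wrong token that matches the first prefix_len bytes
    causes the naive comparator to examine prefix_len + 1 bytes before it
    gives up, so the amount of work grows with the matching prefix."""
    wrong = expected[:prefix_len] + ("X" if expected[prefix_len] != "X" else "Y") \
        + expected[prefix_len + 1:]
    _, examined = naive_compare(wrong.encode("utf-8"), expected.encode("utf-8"))
    return examined


if __name__ == "__main__":
    for n in (0, 8, 24):
        print(f"prefix match of {n} bytes -> naive comparator examined "
              f"{bytes_examined_by_naive_check(n)} bytes")
    print("valid header accepted:", verify_scim_token("Bearer " + EXPECTED_TOKEN))
    print("wrong token rejected:", verify_scim_token("Bearer not-the-token"))
```

The naive comparator's examined-byte count climbs with the length of the matching prefix, which is the property a constant-time comparator removes; the hardened verify_scim_token path does the same parsing but delegates the equality decision to hmac.compare_digest.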
Community
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org and provide feedback directly to the development community!
- Follow us on Twitter, or join our announcement mailing list (or subscribe to the blog posts, which are mostly a subset of the already low-volume mailing list).